Regions Targeted: Taiwan
Related Families: Cobalt Strike
Key Takeaways
What is BadAudio?
Once executed, typically via DLL Search Order Hijacking, the malware gathers basic host reconnaissance, encrypts it with a hard-coded AES key, and transmits the data inside an HTTP cookie to a C2 domain. The same AES key later decrypts the second-stage payload retrieved from the server, which is then reflectively loaded into memory. In analyzed samples, this payload was Cobalt Strike Beacon bearing a watermark previously tied to APT24 activity.
Early distribution leaned heavily on strategic web compromises. Attackers injected malicious JavaScript into legitimate sites covering industrial, recreational, and regional topics. The script first filtered out non-Windows environments, then used FingerprintJS (v2) to compute an x64hash128 browser fingerprint. Victims passing validation were shown fake browser-update pop-ups that dropped BadAudio.
From July 2024 onward, APT24 escalated by repeatedly compromising a single Taiwanese digital marketing firm whose JavaScript library is embedded in over 1,000 regional domains. Multiple re-compromises occurred despite remediation efforts. Intrusions ranged from direct injection of obfuscated code into the library to hiding the final payload inside tampered JSON resources loaded by a compromised parent script. Conditional execution logic initially restricted malicious behavior to specific domains but was briefly removed in August 2025, exposing the entire customer base.
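Because the web-compromise stage described above rides inside a trusted third-party library, a defender's first control is integrity and content monitoring of that library. The following is an added example, not code from the original post or from PolySwarm: it pins a known-good SHA-256 for a script and flags builds that combine the campaign's three traits (a FingerprintJS v2 x64hash128 call, a Windows-only gate, and a browser-update lure). The sample scripts, heuristic names and thresholds are constructed for illustration.

```python
import hashlib
import re
from typing import Optional

# Heuristics drawn from the campaign traits described above. Each is weak on
# its own (FingerprintJS is a legitimate library); the combination plus a
# hash mismatch against the pinned build is what marks an injected stage.
SIGNALS = {
    "fingerprintjs_v2": re.compile(r"\bx64hash128\b|Fingerprint2\b"),
    "windows_gate": re.compile(r"navigator\.(platform|userAgent)[^;]{0,40}Win", re.I),
    "update_lure": re.compile(r"(chrome|browser)[\s_-]*update", re.I),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_script(content: str, known_good_sha256: Optional[str] = None) -> dict:
    """Report which campaign signals a script contains and whether its SHA-256
    differs from the pinned known-good value (tampering check)."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(content)]
    digest = sha256_hex(content.encode())
    tampered = known_good_sha256 is not None and digest != known_good_sha256
    return {
        "sha256": digest,
        "signals": hits,
        "tampered": tampered,
        # Alert on any hash drift, or on two or more independent signals.
        "suspicious": tampered or len(hits) >= 2,
    }

# Constructed sample inputs (not real campaign code): a benign library build
# and the same build with a fingerprinting/update-lure stage appended.
BENIGN_LIB = "(function(){window.track=function(e){console.log(e)};})();"
TAMPERED_LIB = BENIGN_LIB + (
    "if(navigator.platform.indexOf('Win')!==-1){"
    "new Fingerprint2().get(function(r){var h=Fingerprint2.x64hash128(r.join(''),31);"
    "document.body.innerHTML='<div>Chrome update required</div>';});}"
)

if __name__ == "__main__":
    baseline = sha256_hex(BENIGN_LIB.encode())  # pinned at deployment time
    print(scan_script(BENIGN_LIB, baseline))
    print(scan_script(TAMPERED_LIB, baseline))
```

In practice the baseline hash is recorded when the library is onboarded and the scan is re-run on every fetch, so a re-compromise like the repeated ones described above is caught by hash drift even before the content heuristics fire.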
Parallel spear-phishing operations delivered encrypted archives via Google Drive and OneDrive links or direct downloads. Lures impersonated credible entities and incorporated open-tracking pixels to gauge target interest.
Who is APT24?
APT24, also known as Pitty Tiger and Pitty Panda, is a Chinese state-sponsored cyber espionage group active since at least 2008. The group primarily targets organizations in the United States and Taiwan, focusing on sectors such as government, healthcare, construction, engineering, mining, nonprofits, and telecommunications. Their operations center on stealing politically significant documents related to China's territorial and sovereignty disputes, as well as intellectual property that enhances competitive advantages in strategic industries.
APT24 employs sophisticated, multi-vector tactics to infiltrate networks and maintain long-term access. They frequently send phishing emails themed around military operations, renewable energy projects, or business strategies to lure victims into downloading malicious payloads. Once inside, the group compromises legitimate websites by injecting obfuscated JavaScript that fingerprints browsers and displays fake Google Chrome update prompts to deliver malware.
APT24 is assessed with high confidence as a People's Republic of China (PRC)-nexus actor, likely operating under the direction of Chinese intelligence agencies to advance national interests in geopolitical surveillance and economic dominance. Their adaptive campaigns demonstrate persistent reinfection efforts and evasion techniques, underscoring the evolving threat of nation-state-backed espionage.
IOCs
PolySwarm has multiple samples of BadAudio.